[VIDEO] Gateway Configuration

When Branch or Cloud Connectors boot, they automatically locate the geographically nearest and best-performing Zscaler PoPs to use for both the primary and secondary data tunnels. In some situations, however, a customer may want more control over this automation. For instance, some regulatory or compliance use-cases require that the ZIA proxy reside in the same country as the traffic it serves. Or, when private Virtual Zscaler Enforcement Nodes are deployed, a customer may wish to steer traffic manually towards these appliances instead of public gateways. Likewise, for troubleshooting, being able to control where Cloud Connector appliances terminate their tunnels is advantageous. Furthermore, configuring a Log and Control Gateway allows logs to be exported off the appliance itself.

In this video, we’ll explore:
[0:00 to 0:50] Overview of Gateway Functionality
[0:50 to 2:50] Configuring and implementing Gateways
[2:50 to 3:24] Key Takeaways

Transcript

Hello, my name is Aaron and I’m one of the Principal Technical Product Specialists for Zscaler Cloud Workload Protection.

In this video, we’ll discuss how you can adjust the Cloud Connector appliance to utilize specific gateways for ZIA as well as Logging and Control.

When Branch or Cloud Connectors are booted, they automatically locate the geographically nearest and best performing Zscaler PoPs to connect to for both primary and secondary data tunnels. In some situations, however, a customer may wish to have more control over this automation. For instance, in some regulatory or compliance use-cases, a requirement exists that the ZIA proxy exists within the same country as where the traffic originates. Likewise, for troubleshooting purposes, allowing one to flexibly control where their Cloud Connector appliances terminate is advantageous. Furthermore, the ability to export logs off of the appliance itself can be granted when configuring a Log and Control Gateway.

For these use-cases and others, Zscaler Cloud Connector portal offers Gateway configuration…

Notice the two Gateway types available: ZIA and Log and Control. As mentioned, by default, the ZIA Gateway will automatically choose primary and secondary Zscaler facilities to connect to. Should you want to change this behavior, click the Add ZIA Gateway button.

Provide a name and determine how the primary tunnel shall be established. Automatic allows the appliance to continue in its default behavior, Manual allows you to specify specific Zscaler PoPs to use and Override allows you to enter an individual IP address of the Zscaler PoP you wish to connect to. This option is useful when a customer hosts their own virtual ZEN and they want to force Cloud Connector to utilize it.

Likewise, determine how the secondary tunnel will be terminated.

As the last step, choose how traffic is handled when the appliance fails to reach the primary and secondary Gateways. By default, the appliance drops this traffic. By leaving the fail-close option disabled, however, the appliance will simply forward the Internet-bound traffic out its local interface without proxying.

Click the Save button when finished.

Click the Log and Control Gateway tab…

Here, we can configure how the Cloud Connector exports traffic logs for ZIA and DNS control logs. Generally speaking, you should only adjust this under the direction of Zscaler support/engineering, though the workflow is exactly the same.

Once a new gateway has been created, navigate to the Forwarding, Traffic Forwarding menu. Here you can create Forwarding Policies to instruct the appliance on how to handle certain types of traffic. Be sure to check out the Policies video linked in the description for more information on this.

For the purposes of this video, click the Add Traffic Forwarding Rule. Provide a name and order, then set the Forwarding Method to ZIA. In the Criteria fields, identify the traffic that will utilize your new Gateway. For example, in countries where data sovereignty is a requirement, you may select all the Cloud Connector appliances hosted within that region of the world as the match criteria. Hence, traffic coming from these appliances will automatically be forwarded to the gateway you selected previously.

In the Actions field, select your new gateway and click the Save button. Then, activate your change.

Likewise, if you created a Log and Control Gateway, these Gateways can be applied in a similar fashion to the Log and Control Forwarding policy, as shown on your screen.

– Cloud Connector appliances automatically select proxy and logging gateways to connect to when booted up

– Some circumstances, however, require the administrator to define these gateways manually - such as in data sovereignty use-cases

– Gateway preferences can be configured and applied through the Cloud Connector portal

– Zscaler Cloud Connector supports customization of both ZIA Gateways as well as Log and Control Gateways
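To make the gateway and fail-close behaviour described above concrete, here is an added Python model (not Zscaler's code; the object fields, the ordered first-match rule evaluation and the constructed sample rules are assumptions) that resolves where an appliance's Internet-bound traffic goes under a forwarding rule, and audits which gateways would bypass the proxy when both tunnels are down.

```python
from dataclasses import dataclass

# Hypothetical model of the objects described in the video; the real
# portal schema is not on the page and may differ.
@dataclass(frozen=True)
class ZiaGateway:
    name: str
    primary: str        # "automatic", "manual" or "override" (as in the portal)
    secondary: str
    fail_close: bool    # True: drop when both tunnels are down; False: send direct

@dataclass(frozen=True)
class ForwardingRule:
    name: str
    order: int
    method: str                # only "ZIA" rules select a ZIA Gateway here
    source_regions: frozenset  # criteria: Cloud Connector appliances in these regions
    gateway: ZiaGateway

# Constructed sample configuration: an EU gateway that fails closed and a
# US gateway that was left fail-open (the setting that bypasses the proxy).
EU_GW = ZiaGateway("eu-gw", "manual", "manual", fail_close=True)
US_GW = ZiaGateway("us-gw", "automatic", "automatic", fail_close=False)
RULES = [
    ForwardingRule("eu-sovereignty", 1, "ZIA", frozenset({"eu"}), EU_GW),
    ForwardingRule("us-default", 2, "ZIA", frozenset({"us"}), US_GW),
]

def resolve(rules, region, reachable):
    """Decide where Internet-bound traffic from an appliance in `region` goes.

    `reachable` maps (gateway_name, "primary"|"secondary") -> bool.
    Returns (outcome, gateway, tunnel) with outcome in {proxy, drop, direct}.
    """
    for rule in sorted(rules, key=lambda r: r.order):   # assumption: first match wins
        if rule.method != "ZIA" or region not in rule.source_regions:
            continue
        gw = rule.gateway
        for tunnel in ("primary", "secondary"):
            if reachable.get((gw.name, tunnel), False):
                return ("proxy", gw.name, tunnel)
        # both tunnels down: fail-close drops, fail-open sends traffic unproxied
        return ("drop", gw.name, None) if gw.fail_close else ("direct", gw.name, None)
    # no explicit rule: the appliance keeps its default automatic PoP selection
    return ("proxy", "automatic", "primary")

def audit_fail_open(rules):
    """Names of gateways that would send traffic unproxied when both tunnels fail."""
    return sorted({r.gateway.name for r in rules if not r.gateway.fail_close})
```

Running `audit_fail_open` over a rule set is a quick way to spot a data-sovereignty rule whose gateway would silently fall back to direct egress.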
